myctrl.tools
Compare

CM-12(1)Automated Tools To Support Information Location

MODERATE
HIGH

>Control Description

Use automated tools to identify organization-defined information by information type on organization-defined system components to ensure controls are in place to protect organizational information and individual privacy.

>Cross-Framework Mappings

SCF

DCH-24.1
Compare

>Programmatic Queries

Beta

Related Services

Amazon Macie
AWS Security Hub

CLI Commands

Enable Macie to discover sensitive data locations
aws macie2 enable-macie --finding-publishing-frequency FIFTEEN_MINUTES --region us-east-1
Create Macie custom data identifiers for information classification
aws macie2 create-custom-data-identifier --name PII-Detector --regex-pattern "(\d{3}-\d{2}-\d{4})" --region us-east-1
List Macie findings for sensitive data in buckets
aws macie2 list-findings --filter-criteria '{"resourceType": [{"eq": ["S3Bucket"]}]}' --region us-east-1
Get discovery job status for S3 bucket scanning
aws macie2 describe-classification-job --job-id job-123456 --region us-east-1
Open AWS ConsoleDocumentation

>Supplemental Guidance

The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information across the organization. The output of automated information location tools can be used to guide and inform system architecture and design decisions.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of CM-12(1) (Automated Tools To Support Information Location)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring CM-12(1)?
  • How frequently is the CM-12(1) policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to CM-12(1)?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce CM-12(1) requirements.
  • What automated tools, systems, or technologies are deployed to implement CM-12(1)?
  • How is CM-12(1) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce CM-12(1) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of CM-12(1)?
  • What audit logs, records, reports, or monitoring data validate CM-12(1) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of CM-12(1) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate CM-12(1) compliance?

Ask AI

Configure your API key to use AI features.